Security breaches

What is a security breach?

In the case of personal data, a data breach means that personal data is lost, stolen, misused or otherwise compromised without authorization or unintentionally.

Typical examples are

  • Cyber attack (e.g. a ransomware attack)
  • Accidental disclosure of personal data (sending an e-mail to many recipients in cc; providing an Excel file with personal data in a hidden sheet)
  • Loss of a data carrier (laptop with personal data forgotten on the train, USB stick lost)
  • Exposure of personal data on the Internet (file share with personal data openly visible)
  • Unavailability of an important application containing personal data

Security breaches can have serious consequences – for the individuals affected and for the company.

Do I have to report a breach?

Notification to the FDPIC

Yes, data breaches must be reported under certain conditions:

Notification to the FDPIC is only mandatory if the breach is likely to result in a high risk for the affected persons. This is not a clear-cut concept, and there are no binding examples in Switzerland.

If a notification is mandatory, it must take place as quickly as possible. There is no fixed deadline, and certain clarifications may be made first. In case of doubt, however, you should report sooner and submit a supplementary report later if necessary.

FDPIC notification form

The FDPIC provides a form for reporting to it. However, the form asks for too much information, and the FDPIC is subject to the principle of transparency (public access to official documents). Reports can therefore become public. A report by e-mail is often more sensible.

Notification to affected persons

Data security breaches must be reported to the persons concerned if they need to take action to protect themselves (e.g. change a password, block an account, renew a passport). This may be the case even if no report has to be made to the FDPIC.

What do critical infrastructures have to report?

The Federal Act on Information Security at the Confederation (ISG) has been supplemented by provisions on the reporting obligation of operators of certain critical infrastructures. The revised provisions entered into force on April 1, 2025.

Certain critical infrastructures (Kritis) must report cyber attacks:

Those subject to the reporting obligation include, for example, public authorities, social insurance institutions including pension funds, energy suppliers, banks, listed hospitals, medical laboratories, pharmaceutical manufacturers or distributors, registered FDA and certain providers in the SaaS, cloud and hardware sectors, as well as various other entities, provided that they have their headquarters in Switzerland.

At least partially successful cyberattacks must be reported. These are deliberate impairments of the confidentiality, availability or integrity of information, or of the traceability of its processing – the key term is “deliberate”: human error is not covered, nor are port scans and the like.

However, cyberattacks only need to be reported if

  • employees or third parties are affected by system interruptions, or the Kritis can only maintain its activities with emergency plans
  • business-relevant information is viewed, modified or disclosed by unauthorized persons, or there is a security breach under the DPA (step 1 above)
  • the attack remained undetected for at least 90 days, or
  • the Kritis or persons working for them are affected by blackmail, threats or coercion.

The notification must be sent to the Federal Office for Cybersecurity (BACS).

Reporting form →

Working materials on the ISG

We provide various materials on the ISG, including editions of the act together with the Federal Council's dispatch and the explanatory report.

Are there any other reporting obligations?

In addition to the reporting obligations under the DPA and the GDPR, there may be further reporting obligations motivated by the specific objectives of the respective legal regime. These include the following:

  • Reporting obligations arising from a contract, including from a fiduciary duty
  • Art. 29 FINMASA (e.g. for banks, insurers or financial institutions); see Supervisory Notice 03/2024 and Supervisory Notice 05/2020 and the requirements of the Circular (RS) on operational risks and resilience
  • Listing Rules: listed companies must report price-sensitive facts in accordance with the SIX Listing Rules
  • Article 96 of the Ordinance on Telecommunications Services (FDV)
  • Federal Act on the Electronic Patient Record: obligations of the parent companies
  • Medical devices: reporting obligation to Swissmedic under certain circumstances
  • Energy suppliers: cf. ENTSO-E, Network Code on Cybersecurity